problem in htmlentities() and mysql_real_escape_string()

[rhodarose]

Good day!

I add code for htmlentities and mysql_real_escape_string because my boss told me.
But in my machine1.php when I add htmlentities() code I got some notice

Notice: Undefined variable: emp_id in C:\xampp\htdocs\machine_1\machine1.php on line 86

Notice: Undefined variable: lname in C:\xampp\htdocs\machine_1\machine1.php on line 87

Notice: Undefined variable: fname in C:\xampp\htdocs\machine_1\machine1.php on line 88

Notice: Undefined variable: bday in C:\xampp\htdocs\machine_1\machine1.php on line 89

here is my machine1.php

PHP Code:

<?php
session_start(); 
if(empty($_SESSION['logged_in'])) {
    header('Location:index.php');
    die();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Untitled Document</title>

</head>
 <body>
 <form name="machine1" action="machine1.php" method="post">
 
 <p>
  <?php
 
   $sort = "ASC";
  $data_sort = "Emp_ID";
  
  if(isset($_GET['sorting']))
    {
        if($_GET['sorting'] == 'ASC'){
            $sort = "DESC";
        }
        else{
            $sort = "ASC";
        }
    }
    
    
    if (isset($_GET['field_name'])) {
        if($_GET['field_name']  == 'Emp_ID'){
            $data_sort = "Emp_ID";
        }
        elseif($_GET['field_name'] == 'Last_Name'){
            $data_sort = "Last_Name";
        }
        elseif($_GET['field_name'] == 'First_Name'){
            $data_sort = "First_Name";
        }
        elseif($_GET['field_name'] == 'Birthday'){
            $data_sort = "Birthday";
        }
    }
 ?>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href="logout.php">Sign Out</a> </p>
 <table border="1">
   <tr>
 <td><a href="machine1.php?sorting=<?php echo $sort; ?>&field_name=Emp_ID">Emp ID</a></td>
 <td><a href="machine1.php?sorting=<?php echo $sort; ?>&field_name=Last_Name">Last Name</a></td>
 <td><a href="machine1.php?sorting=<?php echo $sort; ?>&field_name=First_Name">First Name</a></td>
 <td><a href="machine1.php?sorting=<?php echo $sort; ?>&field_name=Birthday">Birthday</a></td>
 <td>Option</td>
 </tr>
 
<?php 
include 'connection.php';

if (isset($_GET['pageno'])) {
   $pageno = $_GET['pageno'];
} else {
   $pageno = 1;
} 
$query = "SELECT count(*) FROM tbl_machine1";
$result = mysql_query($query) or trigger_error("SQL", E_USER_ERROR);
$query_data = mysql_fetch_row($result);
$numrows = $query_data[0];

$rows_per_page = 5;
$lastpage      = ceil($numrows/$rows_per_page);

$pageno = (int)$pageno;
if ($pageno > $lastpage) {
   $pageno = $lastpage;
} 
if ($pageno < 1) {
   $pageno = 1;
} 

$limit = 'LIMIT ' .($pageno - 1) * $rows_per_page .',' .$rows_per_page;

$emp_id = htmlentities($emp_id);
$lname = htmlentities($lname);
$fname = htmlentities($fname);
$bday = htmlentities($bday);

$query = "SELECT * FROM tbl_machine1 ORDER BY $data_sort $sort $limit";
$result = mysql_query($query) or trigger_error("SQL", E_USER_ERROR);


while($info = mysql_fetch_array( $result ))
{
    $emp_id = $info['Emp_ID'];
    $lname = $info['Last_Name'];
    $fname = $info['First_Name'];
    $bday = $info['Birthday'];
    $date = date('d-m-Y', strtotime($bday));
    ?>
    <tr>
    <td><?php echo $emp_id;?> </td>
    <td><?php echo $lname;?> </td>
    <td><?php echo $fname;?> </td>
    <td><?php echo $date;?> </td>
       <td><a href = 'edit.php?id=<?php echo $emp_id; ?>'>Edit</a> <a href='delete.php?id=<?php echo $emp_id; ?>' onClick="return confirm('Are you sure you want to delete?')">Delete</a></td>
    </tr>
    <?php
}
?>
    </table>
     <A HREF="javascript:void(0)" onClick="window.open('add.php','welcome','width=300,height=200')">
<input type="button" name="add" value="ADD"> </A>&nbsp;&nbsp;

<?php

 if(isset($_GET['sorting']))
    {
        if($_GET['sorting'] == 'ASC'){
            $sort = "ASC";
        }
        else{
            $sort = "DESC";
        }
    }
                
if ($pageno == 1) {
   echo " FIRST PREV ";
} else {
 ?>
 <a href="machine1.php?pageno=1&field_name=<?php echo $data_sort; ?>&sorting=<?php echo $sort; ?>">FIRST</a>
<?php
   $prevpage = $pageno-1;
?>
   <a href="machine1.php?pageno=<?php echo $prevpage;?>&field_name=<?php echo $data_sort; ?>&sorting=<?php echo $sort; ?>">PREV</a>
 
<?php
}
echo " ( Page $pageno of $lastpage ) ";

if ($pageno == $lastpage) {
   echo " NEXT LAST ";
} else {
   $nextpage = $pageno+1;

 ?>
 
    <a href="machine1.php?pageno=<?php echo $nextpage; ?>&field_name=<?php echo $data_sort; ?>&sorting=<?php echo $sort; ?>">NEXT</a>
       <a href="machine1.php?pageno=<?php echo $lastpage; ?>&field_name=<?php echo $data_sort; ?>&sorting=<?php echo $sort; ?>">LAST</a> 
 <?php
}

?>
 </body>
 </html>

then in my edit.php the htmlentities did not work and when I edit my data and I add " at the end of the lastname like for example Amy" and I click the update button the display is Amy" and when I tried to edit again the " did not appear. Also the date when I click edit button the date appear in textbox as YYYY-MM-DD that should be DD-MM-YYYY and when I edit the date the display data is DD-MM-YYYY which is correct my only problem in date is when it display in edit.

PHP Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<body>
<form method="post" action="" name="edit">
<?php
error_reporting(0);

include 'connection.php';

$id=$_GET['id'];

$lname = htmlentities($lname);
$fname = htmlentities($fname);
$bday = htmlentities($bday);

$data_p = mysql_query("SELECT * FROM tbl_machine1 WHERE Emp_ID = $id") or die(mysql_error());
while($info = mysql_fetch_array( $data_p ))
{
    $emp_id = $info['Emp_ID'];
    $lname = $info['Last_Name'];
    $fname = $info['First_Name'];
    $bday = $info['Birthday'];
    
    $date = date('Y-m-d', strtotime($bday));
}
    





?>


Last Name:&nbsp;<input type="text" name="Last_Name" id="Last_Name" value="<?php echo $lname; ?>"><br/><br/>
First Name:&nbsp;<input type="text" name="First_Name" id="First_Name" value="<?php echo $fname; ?>"><br/><br/>
Birthday:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="text" name="date" id="date" value="<?php echo $date; ?>"><br/><br/>
<input type="submit" name="update" value="UPDATE">
</form>
</body>
</html>

<?php
mysql_connect("localhost", "root", "") or die(mysql_error()); 
mysql_select_db("db_machine1") or die(mysql_error()); 
//$timestamp = strtotime('%e/%m/%Y');

if(isset($_POST['update'])){
$id=$_GET['id'];    
$Lname=$_POST['Last_Name'];
$Fname=$_POST['First_Name'];
$bday=$_POST['date'];
$date = date('Y-m-d', strtotime($bday));



$Lname = mysql_real_escape_string($Lname);
$Fname = mysql_real_escape_string($Fname);
$date = mysql_real_escape_string($date);

mysql_query("UPDATE tbl_machine1 SET Last_Name = '".$Lname."', First_Name = '".$Fname."', Birthday = '".$date."' WHERE Emp_ID = '".$id."' ");
header ('Location:machine1.php');
}
?>

Kindly help me to check my syntax

Thank you

[fastsol1]

It's because you are applying the htmlentities to variables that have no value. You aren't even giving the $emp_id and so any value until after your query to it's not doing anything.
It needs to be this

PHP Code:

$emp_id = $info['Emp_ID'];
    $lname =  htmlentities($info['Last_Name']);
    $fname =  htmlentities($info['First_Name']);
    $bday = $info['Birthday']; 


Then get rid of the vars you made that are giving the error. Also there is no need to put htmlentities on the $bday cause it will neve need to be filtered cause your table will only allow a date in the table if you assigned the column to be a date format, along with the $emp_id if you have the column set to INT.

As for the mysql_real_escape_string(), this is where to use that.

PHP Code:

$Lname=mysql_real_escape_string($_POST['Last_Name']);
$Fname=mysql_real_escape_string($_POST['First_Name']); 


If you have your table columns set up properly based on what type of info you are putting in it, you won't have to filter all aspects.